> Why not change the semantics of /etc/crypttab so that the third column
> (keyfile) is interpreted as a script if the file exists and has the
> executable bit set.

This sounds ok.

> If so, the script is executed and its stdout is
> piped to cryptsetup via stdin.

This sounds not ok, because if there is a key which needs to be decrypted, the decrypted key needs to be saved to a location during the process by its own decrypt-script. You can see that it must be saved anyway. The cryptdisks initscript is under the mountdevsubfs.sh initscript, which mounts a tmpfs on "/dev/shm" (ah, I have linked it to /tmp). So the FS is in memory (RAM) and I don't know any techniques to restore any data from it.

But the main problem is that anybody can have a key with 'newlines', and that would not work with the getpass() function in cryptsetup.

I know that my patch is not perfect, but it can be an alternative until encryption and decryption for very long keys is implemented in cryptsetup itself, so that nobody needs gnupg or openssl.

PS: The ../examples/gen-ssl-key is not so intelligent (I know, I have written it ;-), because the generated key has x<30<x standard characters (-----BEGIN DSA PRIVATE KEY-----). So a key-size of 128 bit is reduced to x<98<x bit. In the attachment is a better replacement, for example.

- Markus Nass

- --
Key fingerprint = DC3C 257C 2B71 8FA4 F609 F7F7 7C14 F806 5665 77FD
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
What cannot fly cannot crash either.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
#!/bin/sh
#
# script to generate a keyfile that is encrypted twice with openssl
#
# Written 2005 by Markus Nass <[EMAIL PROTECTED]>
# Improved 2006 by Jonas Meurer <[EMAIL PROTECTED]>

usage() {
    echo "Usage: $0 <key>"
    exit 1
}

if [ "$1" = "" -o "$1" = "-h" -o "$1" = "--help" ]; then
    usage
fi

if [ -x /usr/bin/openssl ]; then
    # Collect 256 raw random bytes (2048 bits) in a temporary file; unlike a
    # PEM-formatted key this contains no fixed, guessable header text.
    key=`tempfile`
    dd if=/dev/random of="$key" bs=1c count=256
    # Encrypt the raw key with AES-256-CBC (openssl prompts for the passphrase)
    # and write the result to the keyfile named by the first argument.
    openssl enc -aes-256-cbc -e -salt -in "$key" -out "$1"
    rm -f "$key"
else
    echo "Do you have openssl installed?" && exit 1
fi
Attachment: decrypt_ssl.sh (Bourne shell script)
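The newline problem raised in the mail, as an added example that is not part of the original message or of cryptsetup: a POSIX shell check that reports how many bytes of a raw key file a getpass()-style, newline-terminated reader would keep, plus the hex encoding a keyscript could emit so that nothing is lost. It assumes only od, awk, wc, tr and mktemp; the key files are constructed samples.

```shell
#!/bin/sh
# Added example, not from the original mail or from cryptsetup: checks whether a
# raw key file survives being read through a newline-terminated (getpass-style)
# reader, which is what happens when a keyscript pipes the key to cryptsetup's
# stdin as a passphrase. Assumes POSIX sh with od, awk, wc, tr and mktemp.

# Number of bytes a getpass()-style reader would keep: everything before the
# first newline (0x0a). A NUL (0x00) ends a C string, so it is treated alike.
passphrase_bytes() {
    od -An -v -tx1 "$1" | tr -s ' \n' '\n\n' |
        awk 'NF == 0 { next } $1 == "0a" || $1 == "00" { exit } { n++ } END { print n + 0 }'
}

# Total size of the key file in bytes.
total_bytes() {
    wc -c < "$1" | tr -d ' '
}

# Succeeds (exit 0) only if the whole key would reach cryptsetup.
keyfile_is_passphrase_safe() {
    [ "$(passphrase_bytes "$1")" -eq "$(total_bytes "$1")" ]
}

# Mitigation a keyscript can apply: emit the key hex-encoded. The result is one
# line with no newline or NUL byte, so no key bytes are dropped; the entropy is
# unchanged, the passphrase is merely twice as long.
hex_encode_key() {
    od -An -v -tx1 "$1" | tr -d ' \n'
}

# Constructed sample keys: the second contains a 0x0a byte, which a random
# 256-byte key does with probability 1 - (255/256)^256, roughly 63%.
tmp=$(mktemp -d)
printf 'k1k1k1k1' > "$tmp/clean.key"
printf 'abc\ndef' > "$tmp/newline.key"
for k in "$tmp/clean.key" "$tmp/newline.key"; do
    if keyfile_is_passphrase_safe "$k"; then
        echo "$k: all $(total_bytes "$k") bytes reach cryptsetup"
    else
        echo "$k: only $(passphrase_bytes "$k") of $(total_bytes "$k") bytes reach cryptsetup; hex form: $(hex_encode_key "$k")"
    fi
done
rm -rf "$tmp"
```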